Thread-topic: [SA25469] Mozilla Firefox Multiple Vulnerabilities
>
> TITLE:
> Mozilla Firefox Multiple Vulnerabilities
>
> SECUNIA ADVISORY ID:
> SA25469
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/25469/
>
> CRITICAL:
> Highly critical
>
> IMPACT:
> Security Bypass, Spoofing, Exposure of sensitive information, DoS,
> System access
>
> WHERE:
> From remote
>
> REVISION:
> 1.1 originally posted 2007-05-31
>
> SOFTWARE:
> Mozilla Firefox 1.x
> http://secunia.com/product/4227/
> Mozilla Firefox 2.0.x
> http://secunia.com/product/12434/
>
> DESCRIPTION:
> Some vulnerabilities have been reported in Mozilla Firefox, which can
> be exploited by malicious people to conduct spoofing attacks, bypass
> certain security restrictions, and potentially compromise a user's
> system.
>
> 1) Errors in the JavaScript engine can be exploited to cause memory
> corruption and potentially to execute arbitrary code.
>
> 2) An error in the "addEventListener" method can be exploited to
> inject script into another site, circumventing the browser's
> same-origin policy. This could be used to access or modify sensitive
> information from the other site.
>
> 3) An error in the handling of XUL popups can be exploited to spoof
> parts of the browser such as the location bar.
>
> SOLUTION:
> Update to version 2.0.0.4 or 1.5.0.12.
>
> PROVIDED AND/OR DISCOVERED BY:
> The vendor credits:
> 1) Boris Zbarsky, Eli Friedman, Georgi Guninski, Martijn Wargers,
> Olli Pettay, Brendan Eich, Igor Bukanov, Jesse Ruderman,
> moz_bug_r_a4, and Wladimir Palant
> 2) moz_bug_r_a4
> 3) Chris Thomas
>
> CHANGELOG:
> 2007-05-31: Added link to US-CERT.
>
> ORIGINAL ADVISORY:
> 1) http://www.mozilla.org/security/announce/2007/mfsa2007-12.html
> 2) http://www.mozilla.org/security/announce/2007/mfsa2007-16.html
> 3) http://www.mozilla.org/security/announce/2007/mfsa2007-17.html
>
> OTHER REFERENCES:
> US-CERT VU#751636:
> http://www.kb.cert.org/vuls/id/751636
>